Simple Password Compromise on MailGun

We recently had an issue with a MailGun shutdown. Their claim was that our account was compromised. They could not produce any reason that they believed this to be so, they just claimed it. There weren't any email messages sent from it, and no log ins from anyone that shouldn't be there. So pretty suspicious in the first place.

At first they claimed that our API, which is ridiculously long, was compromised. Fishy. Then, later, when they learned that we just dropped them and moved to another vendor they claimed that it was our SMTP password that was compromised due to "simplicity of the password."

Now first of all, they should have a reason to believe that the account is compromised and not just claim it. The lack of evidence there was fishy. That they claimed the API was compromised, also fishy. That they changed their story later, way more fishy.

That they claim that this password was "too simple" is utterly ridiculous and basically means that their claim is that their system exposes the password somewhere because the brute force time to crack something like this would take many times longer than the entire time that the account had existed, and if they had the slightest protection against brute force attacks it would have been essentially impossible to crack.

"At that point in time, we were able to determine that the root cause was due to a Mailgun employee’s account being compromised by an unauthorized user. We immediately closed the point of access to the unauthorized user and deployed additional technical safeguards to further protect this sensitive portion of our application."

Damn, I just signed up with them yesterday. I need them for some apps I have deployed on my home server, now I'm worried because I had to give them cc info.

At least they support 2FA, so I give them some credit for that. Unlike most banks. And no, SMS or email 2FA support doesn't count as it's easily spoofed.

Just doing some site redesign stuff here. For e-commerce transaction messages (order status etc), we are trying out using a WP plugin to login to an office 365 account. I was thinking we should be using a 3rd party for it. We had used mandrill in the past and I am glad to know about mailgun and definitely won't be using them.

And no, SMS or email 2FA support doesn't count as it's easily spoofed.

OK SMS I get, but email?

When someone breaks into your account, they most likely got your email credentials already. So when a service sends you 2nd factor codes to compromised email, it's pointless. 2FA principle was based on one thing that you know, and 2nd that you have. Email is not something you have, as it's accessible to anyone at any time. U2f key or phone with an app is something that only you have.

And no, SMS or email 2FA support doesn't count as it's easily spoofed.

OK SMS I get, but email?

When someone breaks into your account, they most likely got your email credentials already. So when a service sends you 2nd factor codes to compromised email, it's pointless. 2FA principle was based on one thing that you know, and 2nd that you have. Email is not something you have, as it's accessible to anyone at any time. U2f key or phone with an app is something that only you have.

that's a pretty big assumption, that they already have your email credentials.

And no, SMS or email 2FA support doesn't count as it's easily spoofed.

OK SMS I get, but email?

When someone breaks into your account, they most likely got your email credentials already. So when a service sends you 2nd factor codes to compromised email, it's pointless. 2FA principle was based on one thing that you know, and 2nd that you have. Email is not something you have, as it's accessible to anyone at any time. U2f key or phone with an app is something that only you have.

that's a pretty big assumption, that they already have your email credentials.

When you target someone that's usually first step, gain access to email account.